Skip to content

T1056.001 Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.1 Some methods include:

  • Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.
  • Reading raw keystroke data from the hardware buffer.
  • Windows Registry modifications.
  • Custom drivers.
  • Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.2
Item Value
ID T1056.001
Sub-techniques T1056.001, T1056.002, T1056.003, T1056.004
Tactics TA0009, TA0006
Platforms Linux, Network, Windows, macOS
Permissions required Administrator, SYSTEM, User, root
Version 1.1
Created 11 February 2020
Last Modified 30 March 2023

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL ADVSTORESHELL can perform keylogging.2049
S0331 Agent Tesla Agent Tesla can log keystrokes on the victim’s machine.138139140141142
G0130 Ajax Security Team Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.155
S0622 AppleSeed AppleSeed can use GetKeyState and GetKeyboardState to capture keystrokes on the victim’s machine.6364
G0007 APT28 APT28 has used tools to perform keylogging.17521176
G0022 APT3 APT3 has used a keylogging tool that records keystrokes in encrypted files.164
G0050 APT32 APT32 has abused the PasswordChangeNotify to monitor for and capture account password changes.168
G0082 APT38 APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.183
G0087 APT39 APT39 has used tools for capturing keystrokes.162163
G0096 APT41 APT41 used a keylogger called GEARSHIFT on a target system.80
S0373 Astaroth Astaroth logs keystrokes from the victim’s machine. 99
S0438 Attor One of Attor‘s plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.18
S0414 BabyShark BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.126
S0128 BADNEWS When it first starts, BADNEWS spawns a new thread to log keystrokes.110114115
S0337 BadPatch BadPatch has a keylogging capability.81
S0234 Bandook Bandook contains keylogging capabilities.16
S0017 BISCUIT BISCUIT can capture keystrokes.152
S0089 BlackEnergy BlackEnergy has run a keylogger plug-in on a victim.72
S0454 Cadelspy Cadelspy has the ability to log keystrokes on the compromised host.41
S0030 Carbanak Carbanak logs key strokes for configured processes and sends them back to the C2 server.9091
S0348 Cardinal RAT Cardinal RAT can log keystrokes.73
S0261 Catchamas Catchamas collects keystrokes from the victim’s machine.24
S0023 CHOPSTICK CHOPSTICK is capable of performing keylogging.192021
S0660 Clambling Clambling can capture keystrokes on a compromised host.36117
S0154 Cobalt Strike Cobalt Strike can track key presses with a keylogger module.323334
S0338 Cobian RAT Cobian RAT has a feature to perform keylogging on the victim’s machine.48
S0050 CosmicDuke CosmicDuke uses a keylogger.53
S0115 Crimson Crimson can use a module to perform keylogging on compromised hosts.676668
S0625 Cuba Cuba logs keystrokes via polling by using GetKeyState and VkKeyScan functions.54
S0334 DarkComet DarkComet has a keylogging capability.38
G0012 Darkhotel Darkhotel has used a keylogger.172
S1066 DarkTortilla DarkTortilla can download a keylogging module.127
S0673 DarkWatchman DarkWatchman can track key presses with a keylogger module.132
S0187 Daserf Daserf can log keystrokes.4546
S0021 Derusbi Derusbi is capable of logging keystrokes.55
S0213 DOGCALL DOGCALL is capable of logging keystrokes.3031
S0567 Dtrack Dtrack’s dropper contains a keylogging executable.50
S0038 Duqu Duqu can track key presses with a keylogger module.47
S0062 DustySky DustySky contains a keylogger.129
S0593 ECCENTRICBANDWAGON ECCENTRICBANDWAGON can capture and store keystrokes.23
S0363 Empire Empire includes keylogging capabilities for Windows, Linux, and macOS systems.6
S0152 EvilGrab EvilGrab has the capability to capture keystrokes.22
S0569 Explosive Explosive has leveraged its keylogging capabilities to gain access to administrator accounts on target servers.100101
S0076 FakeM FakeM contains a keylogger module.109
G0085 FIN4 FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.167166
S0381 FlawedAmmyy FlawedAmmyy can collect keyboard events.15
S1044 FunnyDream The FunnyDream Keyrecord component can capture keystrokes.4
S0410 Fysbis Fysbis can perform keylogging.124
S0032 gh0st RAT gh0st RAT has a keylogger.8687
S0531 Grandoreiro Grandoreiro can log keystrokes on the victim’s machine.131
S0342 GreyEnergy GreyEnergy has a module to harvest pressed keystrokes.76
G0043 Group5 Malware used by Group5 is capable of capturing keystrokes.60
S0170 Helminth The executable version of Helminth has a module to log keystrokes.40
G1001 HEXANE HEXANE has used a PowerShell-based keylogger named kl.ps1.154153
S0070 HTTPBrowser HTTPBrowser is capable of capturing keystrokes on victims.39
S0434 Imminent Monitor Imminent Monitor has a keylogging module.3
S0260 InvisiMole InvisiMole can capture keystrokes on a compromised host.122
S0201 JPIN JPIN contains a custom keylogger.37
S0283 jRAT jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.119120
S0088 Kasidet Kasidet has the ability to initiate keylogging.82
G0004 Ke3chang Ke3chang has used keyloggers.170171
S0387 KeyBoy KeyBoy installs a keylogger for intercepting credentials and keystrokes.65
S0526 KGH_SPY KGH_SPY can perform keylogging by polling the GetAsyncKeyState() function.123
G0094 Kimsuky Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.17818218118017964
S0437 Kivars Kivars has the ability to initiate keylogging on the infected host.69
S0356 KONNI KONNI has the capability to perform keylogging.151
G0032 Lazarus Group Lazarus Group malware KiloAlfa contains keylogging functionality.158157
S0447 Lokibot Lokibot has the ability to capture input on the compromised host via keylogging.121
S0409 Machete Machete logs keystrokes from the victim’s machine.147148149150
S1016 MacMa MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and saves them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords.134133
S0282 MacSpy MacSpy captures keystrokes.25
G0059 Magic Hound Magic Hound malware is capable of keylogging.165
S0652 MarkiRAT MarkiRAT can capture all keystrokes on a compromised host.135
S0167 Matryoshka Matryoshka is capable of keylogging.112113
G0045 menuPass menuPass has used key loggers to steal usernames and passwords.177
S1059 metaMain metaMain has the ability to log keyboard events.6162
S0455 Metamorfo Metamorfo has a command to launch a keylogger and capture keystrokes on the victim’s machine.5657
S0339 Micropsia Micropsia has keylogging capabilities.29
S0149 MoonWind MoonWind has a keylogger.89
S0336 NanoCore NanoCore can perform keylogging on the victim’s machine.143
S0247 NavRAT NavRAT logs the keystrokes on the targeted system.75
S0033 NetTraveler NetTraveler contains a keylogger.130
S0198 NETWIRE NETWIRE can perform keylogging.9495969798
S0385 njRAT njRAT is capable of logging keystrokes.585960
G0049 OilRig OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.159160
S0439 Okrum Okrum was seen using a keylogger tool to capture keystrokes. 42
C0014 Operation Wocao During Operation Wocao, threat actors obtained the password for the victim’s password manager via a custom keylogger.184
S0072 OwaAuth OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, C:\log.txt.39
S1050 PcShare PcShare has the ability to capture keystrokes.4
S0643 Peppy Peppy can log keystrokes on compromised hosts.67
G0068 PLATINUM PLATINUM has used several different keyloggers.37
S0013 PlugX PlugX has a module for capturing keystrokes per process including window titles.74
S0428 PoetRAT PoetRAT has used a Python tool named klog.exe for keylogging.108
S0012 PoisonIvy PoisonIvy contains a keylogger.7071
S0378 PoshC2 PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.9
S1012 PowerLess PowerLess can use a module to log keystrokes.17
S0194 PowerSploit PowerSploit‘s Get-Keystrokes Exfiltration module can log keystrokes.1011
S0113 Prikormka Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.107
S0279 Proton Proton uses a keylogger to capture keystrokes.25
S0192 Pupy Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.5
S0650 QakBot QakBot can capture keystrokes on a compromised host.103104105
S0262 QuasarRAT QuasarRAT has a built-in keylogger.1213
S0662 RCSession RCSession has the ability to capture keystrokes on a compromised host.3635
S0019 Regin Regin contains a keylogger.77
S0332 Remcos Remcos has a command for keylogging.78
S0375 Remexi Remexi gathers and exfiltrates keystrokes from the machine.84
S0125 Remsec Remsec contains a keylogger component.4344
S0379 Revenge RAT Revenge RAT has a plugin for keylogging.2627
S0240 ROKRAT ROKRAT can use SetWindowsHookEx and GetKeyNameText to capture keystrokes.9392
S0090 Rover Rover has keylogging functionality.78
S0148 RTM RTM can record keystrokes from both the keyboard and virtual keyboard.5152
S0253 RunningRAT RunningRAT captures keystrokes and sends them back to the C2 server.116
G0034 Sandworm Team Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.169
S0692 SILENTTRINITY SILENTTRINITY has a keylogging capability.14
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has a keylogging capability.88
S0649 SMOKEDHAM SMOKEDHAM can continuously capture keystrokes.144145
G0054 Sowbug Sowbug has used keylogging tools.161
S0058 SslMM SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators.111
S0018 Sykipot Sykipot contains keylogging functionality to steal passwords.28
S0467 TajMahal TajMahal has the ability to capture keystrokes on an infected host.125
S0595 ThiefQuest ThiefQuest uses the CGEventTap functions to perform keylogging.146
G0027 Threat Group-3390 Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.39173174
S0004 TinyZBot TinyZBot contains keylogger functionality.118
G0131 Tonto Team Tonto Team has used keylogging tools in their operations.156
S0094 Trojan.Karagany Trojan.Karagany can capture keystrokes on a compromised host.128
S0130 Unknown Logger Unknown Logger is capable of recording keystrokes.110
S0257 VERMIN VERMIN collects keystrokes from the victim machine.83
S0670 WarzoneRAT WarzoneRAT has the capability to install a live and offline keylogger, including through the use of the GetAsyncKeyState Windows API.136137
S0161 XAgentOSX XAgentOSX contains keylogging functionality that will monitor for active application windows and write them to the log, it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure.106
S0248 yty yty uses a keylogger plugin to gather keystrokes.102
S0330 Zeus Panda Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN.85
S0412 ZxShell ZxShell has a feature to capture a remote computer’s keystrokes using a keylogger.8079

Detection

ID Data Source Data Component
DS0027 Driver Driver Load
DS0009 Process OS API Execution
DS0024 Windows Registry Windows Registry Key Modification

References

  1. Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016. 

  2. Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. 

  3. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020. 

  4. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  5. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  6. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  7. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018. 

  8. Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018. 

  9. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. 

  10. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. 

  11. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 

  12. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. 

  13. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. 

  14. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  15. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  16. Galperin, E., Et al.. (2016, August 4). When Governments Attack: State Sponsored Malware Attacks Against Activists, Lawyers, and Journalists. Retrieved May 23, 2018. 

  17. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022. 

  18. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  19. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. 

  20. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  21. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. 

  22. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  23. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021. 

  24. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018. 

  25. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  26. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. 

  27. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019. 

  28. Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016. 

  29. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. 

  30. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. 

  31. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. 

  32. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  33. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021. 

  34. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  35. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  36. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  37. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. 

  38. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018. 

  39. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. 

  40. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  41. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019. 

  42. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  43. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016. 

  44. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. 

  45. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017. 

  46. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  47. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. 

  48. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018. 

  49. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. 

  50. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. 

  51. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  52. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. 

  53. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. 

  54. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  55. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  56. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. 

  57. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  58. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: “njRAT” Uncovered. Retrieved June 4, 2019. 

  59. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. 

  60. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016. 

  61. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  62. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  63. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  64. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. 

  65. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. 

  66. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  67. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  68. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. 

  69. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  70. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014. 

  71. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. 

  72. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016. 

  73. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. 

  74. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. 

  75. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  76. Kaspersky Lab’s Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014. 

  77. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016. 

  78. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  79. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  80. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. 

  81. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016. 

  82. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. 

  83. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  84. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 

  85. Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014. 

  86. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. 

  87. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  88. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. 

  89. Kaspersky Lab’s Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018. 

  90. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. 

  91. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  92. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018. 

  93. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018. 

  94. Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018. 

  95. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing. Retrieved January 7, 2021. 

  96. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  97. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. 

  98. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019. 

  99. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. 

  100. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. 

  101. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. 

  102. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021. 

  103. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. 

  104. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  105. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy’s Xagent macOS Tool. Retrieved July 12, 2017. 

  106. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. 

  107. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. 

  108. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. 

  109. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  110. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. 

  111. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  112. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017. 

  113. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. 

  114. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  115. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. 

  116. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. 

  117. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. 

  118. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018. 

  119. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. 

  120. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020. 

  121. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  122. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  123. Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017. 

  124. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. 

  125. Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019. 

  126. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. 

  127. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. 

  128. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016. 

  129. Kaspersky Lab’s Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014. 

  130. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  131. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  132. Stokes, P. (2021, November 15). Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma. Retrieved June 30, 2022. 

  133. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022. 

  134. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  135. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  136. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022. 

  137. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018. 

  138. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018. 

  139. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018. 

  140. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020. 

  141. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020. 

  142. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018. 

  143. FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021. 

  144. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. 

  145. Gabrielle Joyce Mabutas, Luis Magisa, Steven Du. (2020, July 17). Updates on Quickly-Evolving ThiefQuest macOS Malware. Retrieved April 26, 2021. 

  146. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  147. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. 

  148. The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. 

  149. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. 

  150. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  151. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  152. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  153. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19  

  154. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018. 

  155. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021. 

  156. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016. 

  157. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  158. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. 

  159. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019. 

  160. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. 

  161. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. 

  162. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  163. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. 

  164. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  165. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019. 

  166. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018. 

  167. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  168. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. 

  169. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. 

  170. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. 

  171. Kaspersky Lab’s Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014. 

  172. Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018. 

  173. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. 

  174. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015. 

  175. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. 

  176. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. 

  177. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019. 

  178. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  179. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. 

  180. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  181. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. 

  182. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. 

  183. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.